Problem/Motivation
Currently, when a new user registers for a Drupal account the details are sent to the user's supplied email address. This provides a basic mechanism that confirms the user is at that email address. However, once registered, users are permitted to change their email address without further confirming that the user is in fact at that email address.
Possible implications
- A user can change their email address to be that of an unsuspecting third party as no confirmation of change is required. Using a second Drupal account (with it's email address also faked using the same method) the first user is then able to send anonymous malicious messages to the unsuspecting third party
- A slow method for sending spam but exploitable none the less
Proposed resolution
Add a mechanism (similar to reset password) that:
- Sends an E-mail to the new address requiring the verification of the new address (similar to register confirmation).
- Sends a notification E-mail to the old address.
- Allow the site builder to customise both messages at
admin/config/people/accounts - Provides an update path to set the default behaviour and messages content.
- Write tests.
This new mechanism is bypassed if the e-mail address is changed by an administrator.
Remaining tasks
- #279.2:
Seems to be fixed as well as possible right now given limitations of other issues.Raise a follow-on issue to tidy up once other issues have been fixed. #279.6: Add a test - see further explanation in #284Release note snippet for IS.#345 test #2 outstanding- Not easy to test as involves email send failure - code seems OK#347 unaddressed- Addressed around #356, with new test included- Security review.
- Follow-up questions from #270: (Potentially follow up change as there are other potential improvements in #358 that would resolve a lot of these and go further to improve UX)
- Should there be some indication that additional form fields are available once checked? (NOTE: Same issue in Account Canceled email form)
- Should the suggestions exist prior to checking the box? (NOTE: Same issue in Account Canceled email form)
- Should we make the request visible as pending to user and/or admin until completion?
- Should there be visible history (related question, are users revisionable)?
- Follow-up questions from #272:
Should there be an exception for admin users changing their own email?- In #312 noted admin users are generally able to do a lot of things without checks, including remove their own rights, so already trustworthy to set a new email correctly without needing to verify it
User interface changes
New UI additions to admin/config/people/accounts:
New confirmation message (warning) when user changes e-mail address:
Default text of the generated e-mail (some elements will vary):
alice,
A request to change your email address has been made at Drupal Usability. You
need to verify the change by clicking on the link below or copying and
pasting it in your browser:http://drupalux.lndo.site/user/mail-change/2/alice%40example.org/1542687...
This is a one-time URL, so it can be used only once. It expires after one
day. If not used, your email address at Drupal Usability will not change.
After using the one-time link, the user is redirected to the site's home page, with the message (info)
Your email address has been changed to alice@example.org.
API changes
New controller used for mail changing: \Drupal\user\Controller\MailChangeController
Data model changes
New schema for configs user.settings and user.mail.
Release notes snippet
When users wishes to change their email, they must now verify the email belongs to them using a link sent to that address. This behavior is enabled by default on new installations but disabled by default on existing installations. Review the change record for more information.